Evidently there has been some confusion about the status of the security at the FBC Hackfests and the PLUG status of continued Festing, or of my participation. I am cognizant of the responsible process required for any LUG regular function, as was discussed with Hans and Alan D. when I promoted these monthly venues under the PLUG name. I recently wrote a statement related to limiting regular lab activities to "presentation only" (below), whereupon we walk through, via overhead presentation materials, various functions and features of Backtrack4 (and other Linux security distributions), where members can bring their own equipment and follow along. We are wasting a good deal of time, while leaving open systems to risk with our lab festing. Our changed model will include a quarterly HackFest LAB, with full forensics and IDS safeguarding; however, ANY PLUG member attending any pentest security test tool lab event and plugging into a shared (wired or wireless) network needs to understand fully the risks, therefore registration will be required. We hope to have an updated website to provide that under Drupal 6 at some point; otherwise, we will use other social networking portal tools; watch for the announcements. Shared networks are set up CAREFULLY for a very good reason, with adequate trust, authentication, and full identification/verification of who exactly we are allowing to what. During hackfests, we boot into LiveCDs and use a shared "private network" (while someone inevitably plugs into the wired network), which brings all machines accessing any resources on that shared network into danger from mis-applied TRUST. Generally extensive forensics occur also - I set up IDS, file and network log veracity for all events.
Charles with the Foundation for Blind Children has ensured (from his years of experience) that the networks are completely isolated (which is a big monthly job requiring a good deal of resources); we have not had PLUG members step up willing to assist with forensics projects, systems setup, presentations or promotion. We cannot protect the Foundation's hard drives (where Linux tool LiveCDs are booted), the PLUG members' machines, or the local wireless router from "tools" on Backtrack4, and are finding that the benefits for the number of people who show up do not outweigh the work put in by Eldric and his crew, or the risk. Reading the logs, I find a great many processes that cannot be easily tied to the signup sheet and clearly constitute FLAGS (however unannounced). (In our postulated quarterly LAB HackFest events, we will assign by MAC address, to tie to registration information/IP for IDS/log cross-reference.) Advanced exploit forensics appear in logs that do not follow the presentation materials or the subject of the tag team event. Evidence of new changes (each system undergoes a preliminary forensic file tiger signature before going over to FBC) and even persistent attempts to retain access when the machine is restored to my local network have been verified from more than one event. None of these are FLAGS that have been announced by the members, which is the verbiage that is agreed to via the signup sheet, and verbally announced to all during every event. If I cannot protect my machines (which are always seriously targeted) or my lab demo boxes (brute-forced SSH access and attempts to log scrub - caught with keylogger), and FLAGS are never announced, I cannot allow booting BackTrack4 on machines with drives owned by FBC. To ignore the logs without stating I am aware of this risk is not acceptable, and would be irresponsibly criminal.
To fail to inform all related to these risks, as well as state the full situation, while also training the PLUG members about acceptable RISK and shared network TRUST, would also have been less than responsible. It is worth noting that someone who was at our last event questioned (suddenly) whether his equipment could have been at risk; evidently even some of the most astute PLUG members are not aware, even by signing the Disclaimer, that their systems are at risk at any time in a pentest/hackfest environment or public venue (even a coffee shop). Further, the PLUG event experience has been less than rewarding for those attending as we get set up and watch things behind the scenes, where a presentation session, which can be regularly relied upon, about a certain section or aspect of Linux security tools, would be exceptionally rewarding. Watching another do, people can record a DVD or download presentation materials. We can set up Backtrack4 screen logging/recording and have accomplished something worthwhile during the events, rather than all muck around alone, leave frustrated, etc. We therefore will go to a limited format atmosphere, without full networking, devoted currently to BackTrack4. Members can carry on via their own equipment, watching the screen, as I (and guest presenters) go through materials on LiveCD pentesting tools in typical PLUG full-duplex communications mode (making suggestions or building on the subject, as we play). I, having started the regular HackFests with Hans and Alan's blessing, shall continue in the administrative support role, requesting LiveCD security pentest presentations (Backtrack4) from the PLUG community or pulling up something regularly myself.
The PLUG will continue to provide presentation materials on a local Linux zine (no longer on LinuxGazette [which was not able to continue to regularly publish our materials with adequate lead time, and announced widely our events (Backtrack4 is controversial)]) like LXER.COM or LinuxJournal (whose editors are active in our PLUG) or another regular venue for the next month. Stay tuned for more related to advance presentation materials! We apologize to anyone if there has been some misunderstanding and hope to see you all at the next event next week at http://plug.phoenix.az.us/node/660 in our new time zone: TEN to 1PM on Saturday the 12th of September! At the Foundation for Blind Children's Administrative Offices.

On 8/31/09, Lisa Kachold wrote:
> I finally got moved in after all the new townhouse repairs and have sorted out and evaluated all the technical details from the past two hackfests at the Foundation for Blind Children.
>
> I have found:
>
> 1) Multiple successful exploits against my own equipment (4 prior Hackfests starting from the first at UAT - 3 systems totally pwned).
> 2) Escalated access retention in the way of processes set in place to retain access via port 443 out to various local cox DHCP addresses on two of my linux machines from the last Hackfest and from low level exploits in a Vista system.
> 3) Access to hard drive on systems booted into USB or DVD Backtrack3/4 from various local and network users (2 builds accessed on my own equipment historically).
>
> There is no way to protect a local shared network outside of TRUST. Unless we can assign an IP address to each person who provides their address, name, phone number and signs a legally binding agreement, we cannot continue.
>
> If I cannot TRUST to keep my systems safe, we cannot continue to endanger the networks of the Foundation for Blind Children by allowing networking access with pentest tools.
>
> HackFests will continue in presentation only format. No networks, no access to school machines with LiveCDs or USB keys will be allowed.
>
> If users would like to bring their systems and follow along that is fine, but no Wireless access will be available (a WEP2 key is available via decrypt in BT4 in 11 minutes).
>
> We will continue to provide media to people wanting to burn a DVD for any linux security tool.
>
> --
> http://linuxgazette.net/165/kachold.html
> (623)239-3392
> (503)754-4452 www.obnosis.com

--
(623)239-3392 (503)754-4452 www.obnosis.com
http://www.obnosis.com/motivatebytruth/gnu-people.jpg
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
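The MAC-to-registration cross-reference proposed in the message above (assign attendees by MAC address, tie the lease to the sign-up sheet, then check IDS alerts against it) can be illustrated with a short defender-side script. This is an added example, not code from the message or from PLUG: the registration sheet, the dnsmasq-style DHCPACK lines and the Snort-style fast-alert lines are constructed samples, and the rule names, hostnames and addresses are hypothetical. It splits alerts into those attributable to a registered attendee and those from a MAC that never signed up (or an IP with no lease at all, the "plugged into the wired network" case).

```python
import re

# Constructed registration sheet: MAC address -> attendee name (hypothetical values).
REGISTRATION = {
    "aa:bb:cc:dd:ee:01": "Attendee A",
    "aa:bb:cc:dd:ee:02": "Attendee B",
}

# Constructed dnsmasq-style lease log. dnsmasq logs "DHCPACK(iface) <ip> <mac> <hostname>".
DHCP_LOG = """\
Sep 12 10:02:11 lab dnsmasq-dhcp[311]: DHCPACK(eth0) 192.168.50.21 aa:bb:cc:dd:ee:01 laptop-a
Sep 12 10:03:40 lab dnsmasq-dhcp[311]: DHCPACK(eth0) 192.168.50.22 aa:bb:cc:dd:ee:02 laptop-b
Sep 12 10:09:05 lab dnsmasq-dhcp[311]: DHCPACK(eth0) 192.168.50.23 aa:bb:cc:dd:ee:99 unknown-host
"""

# Constructed Snort-style fast-alert lines (rule ids and messages are made up;
# 203.0.113.5 is a documentation address standing in for an external host).
IDS_ALERTS = """\
09/12-10:15:22.000000 [**] [1:1000001:1] LAB SSH brute force attempt [**] [Priority: 2] {TCP} 192.168.50.23:40122 -> 192.168.50.10:22
09/12-10:16:02.000000 [**] [1:1000002:1] LAB SYN scan [**] [Priority: 2] {TCP} 192.168.50.21:51000 -> 192.168.50.10:445
09/12-10:20:45.000000 [**] [1:1000003:1] LAB outbound 443 beacon [**] [Priority: 1] {TCP} 192.168.50.23:55010 -> 203.0.113.5:443
09/12-10:22:10.000000 [**] [1:1000004:1] LAB SMB enumeration [**] [Priority: 2] {TCP} 192.168.50.77:49000 -> 192.168.50.10:445
"""

DHCP_RE = re.compile(r"DHCPACK\(\S+\)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f:]{17})")
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def build_lease_map(dhcp_log):
    """Map each leased IP to the MAC that most recently acknowledged it.

    Later DHCPACK lines overwrite earlier ones, so a re-leased IP is attributed
    to its current holder.
    """
    leases = {}
    for line in dhcp_log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases[m.group(1)] = m.group(2).lower()
    return leases


def parse_alerts(alert_log):
    """Extract message, protocol, source and destination IP from each alert line."""
    alerts = []
    for line in alert_log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"msg": m.group("msg"), "proto": m.group("proto"),
                           "src": m.group("src"), "dst": m.group("dst")})
    return alerts


def attribute_alerts(dhcp_log, alert_log, registration):
    """Return (attributed, unregistered).

    attributed:   alerts whose source IP leased to a MAC on the sign-up sheet.
    unregistered: alerts whose source MAC is unknown, or whose source IP has no
                  lease at all (a statically configured or wired-in machine).
    """
    leases = build_lease_map(dhcp_log)
    attributed, unregistered = [], []
    for alert in parse_alerts(alert_log):
        mac = leases.get(alert["src"])          # None when the IP never got a lease
        who = registration.get(mac) if mac else None
        record = dict(alert, mac=mac, attendee=who)
        (attributed if who else unregistered).append(record)
    return attributed, unregistered


if __name__ == "__main__":
    known, unknown = attribute_alerts(DHCP_LOG, IDS_ALERTS, REGISTRATION)
    for r in known:
        print(f"[registered] {r['attendee']:<11} {r['src']} -> {r['dst']}: {r['msg']}")
    for r in unknown:
        print(f"[UNKNOWN]    mac={r['mac'] or 'no lease'} {r['src']} -> {r['dst']}: {r['msg']}")
```

The lease map is the piece that turns an IP in an IDS alert into a person; without it the alert only tells you an address misbehaved. Alerts whose source has no lease at all are the ones worth chasing first, since they come from a machine that bypassed the registration step entirely.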